Local break-in at allergy clinic results in 25,000 stolen patient records

Date Reported:
8/6/10

Organization:
Fort Worth Allergy and Asthma Associates

Contractor/Consultant/Branch:
None

Location:


Victims:
Patients

Number Affected:
25,000

Types of Data:
Personal information including Social Security numbers, birth dates, addresses, and diagnoses

Breach Description:
FORT WORTH -- In June, employees at a Fort Worth allergy clinic discovered that the office door had been kicked in and four computers containing patients' personal information including Social Security numbers and birth dates had been stolen.

Reference URL:
Star-Telegram

Report Credit:
Jan Jarvis, Star-Telegram

Response:
From the online source cited above:

FORT WORTH -- In June, employees at a Fort Worth allergy clinic discovered that the office door had been kicked in and four computers containing patients' personal information including Social Security numbers and birth dates had been stolen.
[Evan] Too many people consider information security to be an IT issue, and this is a good example of where a physical security compromise can also lead to a breach.  Do you suppose there was an alarm system in place, or any camera surveillance?

This week Fort Worth Allergy and Asthma Associates spent $15,000 mailing letters notifying the clinic's 25,000 patients of the burglary.
[Evan] Fifteen grand is a bargain.  Of course you could lose patients, and there could be some legal costs including regulatory fines and/or civil penalties.  What about the victims?  Will they suffer costs as a result of this easily preventable breach?

The stolen computer database also contained patients' addresses and diagnoses, Dr. Robert Rogers said.

"In terms of sensitive clinical information that could be taken, we're an allergy clinic so I don't think there was anything embarrassing taken," he said. "It's bad enough that they did get identity information like Social Security numbers."
[Evan] What?!  Does this sound like a statement from someone who doesn't get it?  The clinic should be embarrassed about the lack of protection given to sensitive patient information.  The patients are the owners of this information, not the clinic.  An attitude like this would tick me off if I were personally involved.

"The cost of doing the mailing is more than cost of replacing the equipment," Rogers said.
[Evan] What about the potential costs to your patients?!

After the burglary, Rogers said he had no idea what kind of challenge his office would face notifying every patient.

"We had a backup of the database, so once we got the new computers in we had to re-establish the database, then create this enormous mailing list," he said.

After some researching they discovered they could outsource the task of addressing all the letters. And the clinic's business insurance covered it.
[Evan] Insurance covered it, so this will eventually raise premiums for others (even if slightly).  So, it only cost the clinic $15,000 (so far).  We don't know how much it may cost victims or other business insurance customers, do we?

The clinic has not converted to an electronic medical record system and none of the patients' charts were taken in the June 29 burglary. But because the database was password-protected, there was a possibility that someone could circumvent the security, Rogers said.
[Evan] Did anyone think to encrypt sensitive fields in the database?

As a precaution, patients were advised to notify one of the credit bureaus to place a fraud alert on their accounts.

None of the stolen property has been recovered. But to prevent a similar loss, all personal information is now stored in an off-site server with access allowed only through a secured, encrypted virtual private network, Rogers said.
[Evan] Good, I suppose.  What are the physical security protections employed at the off-site location, and is there any option to encrypt the sensitive data at rest?
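The two questions raised above (why a password on the database was the only barrier, and whether the sensitive fields could be encrypted at rest) come down to one design choice: a password check enforced by the application does nothing once the attacker has the disk, whereas field-level encryption with a key kept off the machine leaves a thief holding ciphertext. The following is an added illustration written for this page, not code from the clinic or the article; the patient row, the sample SSN and the patient-ID context string are constructed, and it assumes the AES key is supplied from outside the database (a key management service or at least a separate host).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"strconv"
)

// PatientRow is a constructed stand-in for one database record. Only the SSN
// is encrypted here; in practice every field the burglary exposed (birth
// dates, addresses, diagnoses) gets the same treatment.
type PatientRow struct {
	ID     int
	Name   string
	SSNEnc string // base64(nonce || AES-GCM ciphertext+tag)
}

// FieldCipher wraps an AES-GCM key that lives outside the database. A burglar
// who carries off the machine gets the rows but not this key.
type FieldCipher struct {
	aead cipher.AEAD
}

// NewFieldCipher accepts a 16-, 24- or 32-byte AES key and rejects anything else.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &FieldCipher{aead: aead}, nil
}

// rowContext binds a ciphertext to its row: the patient ID is authenticated as
// associated data, so a value copied from one row into another fails to
// decrypt instead of silently reassigning an SSN. (Constructed convention.)
func rowContext(patientID int) []byte {
	return []byte("patient:" + strconv.Itoa(patientID))
}

// Encrypt returns base64(nonce || ciphertext). GCM needs a fresh random nonce
// per value; reusing one under the same key breaks confidentiality.
func (fc *FieldCipher) Encrypt(plaintext string, patientID int) (string, error) {
	nonce := make([]byte, fc.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := fc.aead.Seal(nonce, nonce, []byte(plaintext), rowContext(patientID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Decrypt reverses Encrypt and fails closed on tampering or a wrong row context.
func (fc *FieldCipher) Decrypt(stored string, patientID int) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := fc.aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("stored value too short to contain a nonce")
	}
	pt, err := fc.aead.Open(nil, raw[:ns], raw[ns:], rowContext(patientID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// StoreSSN builds the row exactly as it would be written to disk.
func StoreSSN(fc *FieldCipher, id int, name, ssn string) (PatientRow, error) {
	enc, err := fc.Encrypt(ssn, id)
	if err != nil {
		return PatientRow{}, err
	}
	return PatientRow{ID: id, Name: name, SSNEnc: enc}, nil
}

func main() {
	key := make([]byte, 32) // in deployment: fetched from a KMS, never stored beside the data
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	fc, err := NewFieldCipher(key)
	if err != nil {
		panic(err)
	}
	row, err := StoreSSN(fc, 42, "Jane Doe (constructed)", "123-45-6789")
	if err != nil {
		panic(err)
	}
	fmt.Printf("on disk:   %+v\n", row) // what the thief sees: no SSN digits
	ssn, err := fc.Decrypt(row.SSNEnc, row.ID)
	fmt.Println("with key: ", ssn, err)
	_, err = fc.Decrypt(row.SSNEnc, 43) // same ciphertext, wrong row
	fmt.Println("wrong row:", err)
}
```

The design point is the separation of key and data: the stolen computers held both the database and the only control (a password the application checks), so the control travelled with the loot. With the key held elsewhere, the same theft yields rows whose sensitive columns are unreadable, and the authenticated row context stops a stolen ciphertext from being reused against a different record.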

Commentary:
Judging from what I read, the clinic is much more concerned about themselves than they are about their patients' sensitive information.  I could be wrong, and I hope I am.

Past Breaches:
Unknown
